Alias:I-Worm.Torvil.b, W32/Torvil@MM, W95/Swen.A@mm, W32.Swen.A@mm
Type:Worm 
Size: 
Origin: 
Date:00-00-0000 
Damage:Sent by email 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Low 

Distribution
The worm collects email contacts from files with the following extensions:
INBOX
HTML
MBOX

The email sent by the worm contains:
Subject: composed of the following parts:
Hi,
Hello,
FW
RE:

followed by:
Undeliverable mail--
Returned mail--
The following mail can't be sent to
The file is the original mail
here is a nice Picture
Have a look the Pic attached !!
here's the document
here's the document you requested
here's the document that you had requested.
security@microsoft.com
security@securityfocus.com
Use this patch immediately !
Next Critical Vulnerability Patch!

Body:
Hello,
You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It's important that you apply the fix now since we estimate the Buffer Overflow is at a Critical Level.
Sincerely Yours
The Security Team

Attachment:
document.pif
thank_you.pif
her_details.pif
funny_guy.pif
wicked_screensaver.scr
movie0045.pif
torvil.pif
Q723523_W9X_WXP_x86_EN.exe
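
The subject and attachment lists above can be turned into a mail-gateway check. The following is an added example, not part of the original description or of any vendor's product; the verdict labels ("quarantine", "review", "pass"), the function names and the sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator strings copied from the description above.
PREFIXES = ("hi,", "hello,", "fw", "re:")
PHRASES = (
    "undeliverable mail--", "returned mail--",
    "the following mail can't be sent to", "the file is the original mail",
    "here is a nice picture", "have a look the pic attached !!",
    "here's the document", "security@microsoft.com",
    "security@securityfocus.com", "use this patch immediately !",
    "next critical vulnerability patch!",
)
KNOWN_NAMES = {
    "document.pif", "thank_you.pif", "her_details.pif", "funny_guy.pif",
    "wicked_screensaver.scr", "movie0045.pif", "torvil.pif",
    "q723523_w9x_wxp_x86_en.exe",
}
RISKY_EXTENSIONS = (".pif", ".scr", ".exe")  # extensions used by the names above


def score_message(raw: bytes) -> dict:
    """Compare one RFC 5322 message against the subject and attachment lists."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    subject_match = subject.startswith(PREFIXES) and any(p in subject for p in PHRASES)
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    known = [n for n in names if n in KNOWN_NAMES]
    risky = [n for n in names if n.endswith(RISKY_EXTENSIONS) and n not in KNOWN_NAMES]
    if known:
        verdict = "quarantine"   # assumed label: exact attachment name from the list
    elif subject_match or risky:
        verdict = "review"       # assumed label: weaker signal, needs a second look
    else:
        verdict = "pass"
    return {"subject_match": subject_match, "known_attachments": known,
            "risky_attachments": risky, "verdict": verdict}


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message; the attachment holds placeholder bytes only."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

File names are compared case-insensitively, and an attachment with one of the three extensions but an unlisted name is only sent to review.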

Technical Details
When activated, Worm/Torvil.B copies itself as:
%WinDIR%\Spoolxx.exe
%WinDIR%\SMSSxx.exe
%WinDIR%\svchost.exe

It makes the registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ServiceHost"="%WinDIR%\spoolxx.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ OneLevelDeeper "Service Host"="%WinDIR%\spoolxx.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "ServiceHost"="C:\%WinDIR%\svchost.exe"

It also enters:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="explorer.exe spoolxx.exe"

The worm copies itself into the shared directory of the following programs:
ed2k-it
Xolox
Kazaa
and into: C:\%WinDIR%\mstorvil.{21EC2020-3AEA-1069-A2DD-08002B30309D}, which contains the following strings:
ACDSee32 v2.41
Adobe Encore DVD 1.0
BearShare Pro v4.0.1
BestCrypt v7.08.1
Cultures 3 Northland
Colin McRae Rally 4
DivX Pro 5.1
DVD X Studios CloneDVD 1.25
Dragons Lair 3D Multilanguage
Empereur L
Empire du Milieu - Mise a Jour
EasyRecovery v1.1.01
iMesh v3.0b Ad Remover
Norton AntiVirus 2004
Star Wars Jedi Knight Jedi Academy
Tony Hawks Pro Skater 4 Multilanguage NoCD
You dont know Jack 4
Zone Alarm Pro 4.0

followed by Cracker.exe.
Description created by Crony Walker on Tuesday, June 15, 2004